By 17 December 2021, the EU Member States had to transpose the EU Whistleblower Protection Directive into national law. The purpose of the directive is to provide stronger protection across EU countries for people wanting to report breaches of EU law. Employees who decide to file a report must now be provided with clear reporting channels and be protected from retaliation. Learn more below on the latest EU directive FAQs and updates to Portugal’s transposition of the Directive.
EU Directive FAQs
How should companies differentiate between the many forms of reportable misconduct?
It is in best practice for companies to accept as many types of whistleblowing reports as possible. Doing so proves to employees that the company believes in the commitment to do the right thing, even if the topics raised go beyond compliance. In turn, this creates an employee culture of trust through the company’s ability to act, and take reports seriously, no matter what the report entails.
In addition, by allowing employees to send all reports to a whistleblowing channel, it stops confusion surrounding where employees can go to make a report– each case can then be sent across and followed up by the right internal people, if needed.
Companies should also categorise whistleblowing reports themselves, rather than leaving the burden up to the whistleblower. Whistleblowers are not often topic experts, nor trained in categorising reports - forcing them to push their report in a certain direction or category may scare them away. Also, whistleblowers are unlikely to have a broader picture of the wrongdoing than the organisation.
It is also best to involve legal experts in the early stages of investigating a report. Wrong categorisation of a case can have negative consequences for a company.
How can legal entities comply with requirements to inform about the right of external reporting?
Firstly, external reporting means oral or written communication on information of breaches to a competent authority outside of a companies’ whistleblowing system.
A reporting person should be able to freely choose the most appropriate reporting channel, depending on the individual circumstances of their case, whether that be internally or externally. If a whistleblower still decides not to use one of the companies’ available reporting channels and would prefer to speak to a trusted person outside the organisation, that option should be available.
It is important that companies provide clear internal instructions about where whistleblowers can go should they decide to report a case externally to a relevant authority. Companies must list the relevant whistleblowing authorities available, depending on the member state they are based in.
A whistleblower, who is not presented with both internal and external options, and who doesn’t know where to go, could end up going public, with all its potential negative reputational risks for the organisation and individuals involved.
How do whistleblower protections apply when the whistleblower has already been involved in a separate case of wrongdoing?
There may be occasional incidences in which a person who has previously been reported or wrongdoing, blows the whistle to improve their personal position and protection.
The EU Whistleblowing Directive states that a reporting person, can qualify for protection if:
- The whistleblower had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that the information fell within the scope of the Directive; and
- The whistleblower reported either internally (…) or externally (…) or made a public disclosure
This means that a whistleblower does not need to meet a requirement of raising a report in good faith, nor in the public interest, for a report to be legitimate. The motive for a whistleblower raising a report is irrelevant, as to whether company protection is available. This includes whistleblowers who have themselves been reported in a previous or ongoing case of wrongdoing.
Portugal: June 2022
In June, Portugal transposed two new national laws, one tackling the prevention of corruption, the other transposing and going further than the legal whistleblowing requirements of the EU Directive. Portugal is a good example of how different countries are interpreting the Directive’s rules in different ways. Learn more about the two new laws below:
Portugal: Decree-Law no. 109-E/2021, General Regime for the Prevention of Corruption (RGCP)
On the 8 June 2022, the Portuguese Decree Law 109-E/2021, which creates the National Anti-Corruption Mechanism (MENAC) and establishes the General Regime for Prevention of Corruption (RGPC), came into play, following the approval of the National Anti-Corruption Strategy.
The 109-E/2021 law will affect public entities with over 50 employees,private companies headquartered in Portugal, The Bank of Portugal, and subsidiaries of foreign companies. The law will help to transpose the RGCP rules, by improving the transparency of organisational practices, detecting corruption risks, and engaging the private sector in the prevention of corruption.
What does The Portuguese Decree Law 109-E/2021 Include?
To prevent potential risks of company corruption and rule breaking, entities covered by the RGPC, must implement a clear set of rules. This set rules includes:
1. An internal Code of Conduct, to be reviewed every three years, or when there are changes to the corporate structure.
2. A variety of training programs, to ensure employees are aware of corruption policies and procedures.
3. Internal whistleblowing channels, in accordance with the rules of Law No. 93/2021, for employees to report corruption and misconduct.
4. An internal compliance officer, appointed to monitor the implementation and running’s of the company’s compliance program.
5. A Risk Prevention Plan (RPP) – a plan to prevent risks of corruption, to be reviewed every three years.
6. Internal control procedures and risk assessment, relating to the RPP, to identify conflicts of interest within private entities.
The newly created National Anti-Corruption Mechanism (MENAC), an independent legal entity overseeing the 109-E/2021 laws, can distribute large penalties to businesses who do not comply with the requirements. Organisations, who do not transpose the rules, may be fined up to € 44,891.81, or up to €3,740.98, in cases for individuals. This is effective 8 June 2023 for small companies and 8 June 2024 for medium-sized companies.
Law No. 93/2021, Transposition of The EU Whistleblower Protection Directive
The Portuguese Whistleblower Protection Law (Law no. 93/2021) came into play 18 June 2022. Like all members of the European Union, Portugal was required to transpose the EU Whistleblower Protection Directive into national law by 17 December 2021. Portugal has become one of the first countries to transpose the EU Directive and has taken the rules within the directive further than the minimum standards required for all EU counties.
New Law No.93 goes beyond the requirements of the directive:
- If requested by a whistleblower, the entity must inform of the result of “the analyses” within 15 days of report completion.
- Violent, economic-financial, and organised criminal actions are included within the Directive and can be reported.
- The National Anti-Corruption Mechanism (MENAC) enforces the 109-E/2021 law and give out penalties to non-complying companies.
- A record of each report must be kept for a minimum of five years.
- Fines can be issued of up to EUR 125,000.
Though the updates to Portugal’s transposition are specific to that country, the practice of expanding upon the Directive's scope is visible in other countries still working to codify the Directive into their national laws. As news about the Directive's transpositions develops, we’ll share those updates and answers to the most frequently asked questions.
For more information about the EU Whistleblowing Directive and how to keep your company in compliance: